Dear Riley Hassell,

--Saturday, April 13, 2002, 2:15:47 AM, you wrote to vuln-devat_private:

RH> "POST /iisstart.asp HTTP/1.1\r\n"
RH> "Accept: */*\r\n"
RH> "Host: eeye.com\r\n"
RH> "Content-Type: application/x-www-form-urlencoded\r\n"
RH> "Transfer-Encoding: chunked\r\n"
RH> "\r\n"
RH> "1\r\n"
RH> "E\r\n"
RH> "0\r\n"
RH> "\r\n"
RH> "\r\n"
RH> "\r\n"

In my case it produces no error and simply responds with page content
after

"\r\n"
"1\r\n"
"E\r\n"
"0\r\n"
"\r\n"

RH> It won't overwrite anything mission critical so the dllhost shouldn't lock
RH> up or exit. If you're vulnerable then you'll see the following string in the
RH> error message "(0x80004005)<br>Unspecified". When a server is patched it
RH> will respond with a new error, I believe it's (0x80004005)<br>Request...

RH> You can also try putting NULLs in strange places in your request. The rollup
RH> fixes a problem in parsing requests with NULLs. When IIS sees something
RH> invalid in a request it will error back with "parameter incorrect", on an
RH> unpatched system the responses will vary.

--
~/ZARAZA
...he never took up programming without a cudgel. (Lem)
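The response strings discussed in this thread can be turned into a patch-status triage, shown here as an added example that is not part of the original message or of either poster's tooling. The verdict names, the function names and the sample responses are assumptions constructed for illustration; only the marker strings come from the thread.

```python
import re

# Markers quoted in the thread. The patched-server string is truncated in the
# original message ("Request..."), so only the visible prefix is matched.
ERR_CODE = "(0x80004005)"
VULN_MARK = ERR_CODE + "<br>Unspecified"
PATCHED_MARK = ERR_CODE + "<br>Request"
NULL_MARK = "parameter incorrect"


def split_response(raw: bytes):
    """Split a raw HTTP response into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", head)
    status = int(m.group(1)) if m else None
    return status, body.decode("latin-1")  # latin-1 never fails on raw bytes


def classify(raw: bytes) -> str:
    """Map one response to the test request onto a verdict (names are hypothetical)."""
    status, body = split_response(raw)
    if status is None:
        return "malformed-response"
    if VULN_MARK in body:
        return "unpatched"
    if PATCHED_MARK in body:
        return "patched"
    if NULL_MARK in body.lower():
        return "parameter-incorrect"  # patched behaviour for the NULL test
    if ERR_CODE in body:
        return "unknown-error"        # same code, text not covered by the thread
    return "inconclusive"             # e.g. plain page content, as in the reply


# Constructed sample responses, not captured from real servers.
SAMPLES = {
    "host-a": b"HTTP/1.1 500 Error\r\n\r\n<p>error (0x80004005)<br>Unspecified</p>",
    "host-b": b"HTTP/1.1 500 Error\r\n\r\n<p>error (0x80004005)<br>Request...</p>",
    "host-c": b"HTTP/1.1 200 OK\r\n\r\n<html>start page</html>",
    "host-d": b"HTTP/1.1 500 Error\r\n\r\nThe parameter incorrect.",
}


def triage(samples):
    """Classify every host's response; returns {host: verdict}."""
    return {host: classify(raw) for host, raw in samples.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host}: {verdict}")
```

An "inconclusive" verdict, such as the page-content response reported in the reply, says nothing about patch status and should be followed up by checking the installed patch level directly.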
This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 08:22:01 PDT